Trojan.Bredolab is a Trojan horse that downloads and executes files from the Internet. It may arrive on the computer through email or a drive-by download. The Trojan also attempts to avoid detection by employing several evasion techniques.

Infection

Bredolab has been observed using the following two primary methods of distribution:

Drive-by download

Email

A drive-by download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded onto the user's computer without his or her consent.

The email distribution method employs social engineering tricks to convince the user to open the attachment in the email. All of the emails are crafted to appear as legitimate as possible in order to deceive the user. It is also common for the threat to reuse themes with slight variations in the body of the message and the attachment names. For example, the following themes have already been observed:

Western Union free money

UPS delivery failures

Shop.corsair.com shipping confirmations

Facebook password changes

Functionality

The primary function of this threat is to download more malware onto the compromised computer. It is likely that the authors of the threat are associated with affiliate schemes that attempt to generate money through the distribution of malware. The threat may also be used to help construct a bot network that can be sold or hired for monetary gain.

Self-protection

The threat also employs the following techniques in order to avoid detection:

Server-side polymorphism - the threat constantly changes its packing method and its appearance in order to avoid signature-based detection

Anti-debugging tricks - the threat performs checks to determine whether it is executing within a debugging environment

Encoded communication - all communication between the threat and its remote server is encrypted

GEOGRAPHICAL DISTRIBUTION

Symantec has observed the following geographic distribution of this threat.

PREVALENCE

Symantec has observed the following infection levels of this threat worldwide.

SYMANTEC PROTECTION SUMMARY

The following content is provided by Symantec to protect against this threat family.